Obfuscation is not security

Few days ago, I was trying some indie games with a friend when we found one with the typical "30 minutes of full gameplay" demo timer. For the joy of achieving it, I asked him if we should try to hack that timer.

The first idea was to just search the memory for values (with Cheat Engine is quite easy) and try to replace them with something like 9999 minutes.

No luck with minutes or seconds individually, neither with total seconds remaining... This is typical when games hide or encrypt memory values or keep a float number with milliseconds. But as the time remaining was persistant between gaming sessions, a different vector of attack could be to find where the value is stored. And for that, nothing like Process Monitor.

We tried some filters to check Registry I/O, and just found where the full version serial number would be read if present.

Switched to filtering to file I/O, and apart from some logs (looks like they left Ogre3D debug logs on, but at least cut to a few KBs only) apparently no clue.

Had we lost the fight? Maybe, but that data had to be being written somewhere, so I started taking a final look at every file output call. And then I realized something unusual.

The game had all the data except the logs inside pak/zip files, but just before killing the main thread it was writing a texture file. Why writing into a texture (when you usually only read them), why doing on a separate file instead of a packed one and why doing it exactly before exiting the game?

I did a quick test: Copied the file, launched the game, waited a few seconds and quit. I overrided back the original file and launched the game. Guess what happened? The timer was back with the first launch time.

We had found the counter. A simple second test (removing write permissions to the texture file) gave the desired results: unlimited fullmode playtime.

We didn't had to dissasemble or reverse engineer any executable. We didn't had to decrypt any key. A simple write-locking of a file and we had the full version.

If the timer were encrypted it could be even stored in the Registry, I could not have done anything with it without decrypting it first.

So the lesson here is that, maybe by luck, maybe by skills, maybe just by trying, but if you just obfuscate sensitive data instead of a real encription or some other secure means, someone can eventually get to it and do bad things.

PS: Of course I would not tell the name of the game. The idea was to lecture about obfuscation, not about how to crack a specific game.

Actually the texture file was being written each second aprox., but we didn't knew that until after finding "the secret".

Comments?

Posted by Kartones on 2010-05-09